

Merge pull request #14903 from lpichler/tag_visibility_for_user_and_g…
…roups

Tag visibility for User and MiqGroup model
(cherry picked from commit 8340d21)

https://bugzilla.redhat.com/show_bug.cgi?id=1460979
gtanzillo authored and simaishi committed Jun 20, 2017
1 parent 904386f commit 3c74854
Showing 2 changed files with 50 additions and 6 deletions.
18 changes: 12 additions & 6 deletions lib/rbac/filterer.rb
@@ -44,7 +44,7 @@ class Filterer
VmOrTemplate
)

TAGGABLE_FILTER_CLASSES = CLASSES_THAT_PARTICIPATE_IN_RBAC - %w(EmsFolder)
TAGGABLE_FILTER_CLASSES = CLASSES_THAT_PARTICIPATE_IN_RBAC - %w(EmsFolder) + %w(MiqGroup User)

BELONGSTO_FILTER_CLASSES = %w(
VmOrTemplate
@@ -440,15 +440,21 @@ def scope_to_cloud_tenant(scope, user, miq_group)
klass.tenant_joins_clause(scope).where(tenant_id_clause)
end

def scope_for_user_role_group(klass, scope, miq_group, user)
def scope_for_user_role_group(klass, scope, miq_group, user, managed_filters)
user_or_group = miq_group || user

if user_or_group.try!(:self_service?) && MiqUserRole != klass
scope.where(:id => klass == User ? user.id : miq_group.id)
elsif user_or_group.disallowed_roles
scope.with_allowed_roles_for(user_or_group)
else
scope
if user_or_group.disallowed_roles
scope = scope.with_allowed_roles_for(user_or_group)
end

if MiqUserRole != klass
filtered_ids = pluck_ids(get_managed_filter_object_ids(scope, managed_filters))
end

scope_by_ids(scope, filtered_ids)
end
end

@@ -480,7 +486,7 @@ def scope_targets(klass, scope, rbac_filters, user, miq_group)
filtered_ids = calc_filtered_ids(associated_class, rbac_filters, user, miq_group, scope_tenant_filter)
scope_by_parent_ids(associated_class, scope, filtered_ids)
elsif [MiqUserRole, MiqGroup, User].include?(klass)
scope_for_user_role_group(klass, scope, miq_group, user)
scope_for_user_role_group(klass, scope, miq_group, user, rbac_filters['managed'])
else
scope
end
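Review bot: In the new `else` branch of `scope_for_user_role_group`, `filtered_ids` is assigned only under `if MiqUserRole != klass`, so for MiqUserRole it reaches `scope_by_ids` as an implicit nil, and the access decision rests on how the helpers tell "no tag filter" (nil) apart from "filter matched nothing" (empty). `pluck_ids`, `get_managed_filter_object_ids` and `scope_by_ids` are not visible in this section; if an empty match is ever collapsed to nil, a group whose managed filter matches no record would be shown every user and group instead of none. I would make the contract explicit, for example `filtered_ids = MiqUserRole == klass ? nil : pluck_ids(get_managed_filter_object_ids(scope, managed_filters))` with the comment `# nil = no tag restriction; [] must yield no rows`. Separately, `user_or_group.disallowed_roles` is called without the nil guard that the `try!(:self_service?)` check has, so a call with neither user nor group would raise there.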
38 changes: 38 additions & 0 deletions spec/lib/rbac/filterer_spec.rb
@@ -383,6 +383,44 @@ def get_rbac_results_for_and_expect_objects(klass, expected_objects)
expect(results).to match_array(expected_objects)
end

context 'with tags' do
let!(:tagged_group) { FactoryGirl.create(:miq_group, :tenant => default_tenant) }
let!(:user) { FactoryGirl.create(:user, :miq_groups => [tagged_group]) }
let!(:other_user) { FactoryGirl.create(:user, :miq_groups => [group]) }

before do
tagged_group.entitlement = Entitlement.new
tagged_group.entitlement.set_belongsto_filters([])
tagged_group.entitlement.set_managed_filters([["/managed/environment/prod"]])
tagged_group.save!

tagged_group.tag_with('/managed/environment/prod', :ns => '*')
user.tag_with('/managed/environment/prod', :ns => '*')
end

it 'returns tagged users' do
expect(User.count).to eq(2)
get_rbac_results_for_and_expect_objects(User, [user])
end

it 'returns tagged groups' do
expect(MiqGroup.count).to eq(3)
get_rbac_results_for_and_expect_objects(MiqGroup, [tagged_group])
end

let(:tenant_administrator_user_role) do
FactoryGirl.create(:miq_user_role, :name => MiqUserRole::DEFAULT_TENANT_ROLE_NAME)
end

it 'returns tagged groups when user\'s role has disallowed other roles' do
tagged_group.miq_user_role = tenant_administrator_user_role
tagged_group.save!

expect(MiqGroup.count).to eq(3)
get_rbac_results_for_and_expect_objects(MiqGroup, [tagged_group])
end
end

it "returns all users" do
get_rbac_results_for_and_expect_objects(User, [user, other_user])
end
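Review bot: The new 'with tags' context only asserts the positive case, where the filter tag is present on `user` and `tagged_group`; there is no example where the group's managed filter matches no User or MiqGroup and the expected result is empty. That is the case that shows the filter fails closed, so I would add an example that calls `set_managed_filters` with a tag no record carries and expects `get_rbac_results_for_and_expect_objects(User, [])`. The MiqUserRole path, which skips tag filtering in `scope_for_user_role_group`, also has no example in this context. The `let(:tenant_administrator_user_role)` placed between the `it` blocks would read better next to the `let!` declarations at the top of the context.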
